The #1 unofficial ISA Server resource site
ISAserver.org Newsletter of December 2003
Sponsored by: Rainfinity
In this issue:
Welcome to the ISAserver.org newsletter! Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org.
Special Offer for Microsoft Customers from Rainfinity
Try the first integrated internet connection and firewall high availability solution for Microsoft ISA Server-- Free for 30 days!
Rainfinity enables ISA Server to handle multiple external interfaces and brings fault tolerance to your ISA Server gateway to avoid business continuity disruptions and save you thousands of dollars per year! Download RainConnect and RainWall--each designed for Microsoft ISA Server today!
1. ISA Server VPNs, ISA Firewall Appliances and Exchange RPC Protection
By Thomas W Shinder, M.D.
It’s been a while since I had a chance to communicate with you via the newsletter and there’s a lot of cool stuff going on that I want to let you know about. There are two “big things” that all ISA Server firewall admins will be interested in. These are ISA Server 2000-based VPN servers and gateways, and the strong possibility that we’ll soon have an ISA Server appliance to drop into our server racks and rooms.
One of the most popular Web boards at http://forums.isaserver.org is the VPN section. We frequently create co-located VPN server/gateway and firewall machines. This is an attractive offering because you don’t have to pay extra for the VPN server/gateway component, and the ISA Server firewall software includes some helpful Wizards that do most of the heavy lifting when it comes to the VPN server/gateway configuration. You just need to perform a couple of tweaks and you’re good!
The problem with all VPN server/gateway configurations is that there are a lot of details you need to take care of in order to get them to work right. The problem is that while all the information you need to get them to work is out there somewhere, it’s hard to find the step by step information you need to make it work.
Here’s where I have some good news for you. Microsoft saw this was a problem and has, with a little help from me, put together an ISA Server 2000 VPN Deployment Kit. This kit includes all the info you need to get your co-located ISA Server firewall/VPN server/VPN gateway working from “flag fall to that’s all”.
What’s really great is that Microsoft has given us permission to put all 30 of the VPN Deployment Kit documents on the www.isaserver.org web site! You’ll be able to download the entire kit from Microsoft in Microsoft Word or PDF format, or read the articles online on the ISAServer.org site. Remember, you can also print out the articles posted on www.isaserver.org using the printer friendly format. So, no matter where you are, you’ll be able to get the ISA Server VPN information you need to get up and running.
Click here for ISA Server 2000 VPN Deployment Kit
Now for the second big thing. We ran a survey here at www.isaserver.org a couple of months ago regarding the potential popularity of an ISA Server firewall appliance. This appliance would be a dedicated firewall appliance, no Web sites or Exchange Servers installed on it! The survey demonstrated this is a very popular idea, with over 90% of the almost 120 respondents saying an ISA Server firewall appliance is a must have for people running Microsoft networks behind the firewall.
I’ve had the opportunity to work with some companies who are working on making this wish a reality. These ISA server firewall appliances are in different form factors: one of them is a nice “set top” version that’s no bigger than an 8-port unmanaged switch, and the other is an impressive looking 1U rack mountable professional unit that will hold its own in any server room.
These ISA Server firewall appliances are a cut above the typical ISA Server offering because:
- They are dedicated devices – no Web servers, FTP servers or Exchange Servers are installed on them
- They are pre-hardened in a way that locks down the underlying Windows 2000 OS and firewall software without compromising the functionality of the firewall
- These boxes work “out of the gate” and the installation Wizards walk you through the installation so that you have the outbound access you need while obtaining complete protection from external attack
- These ISA Server 2000-based firewall appliances will include some useful add-ons such as enhanced reporting and alerting, intelligent bandwidth control and maybe even a usable VPN Quarantine (VPN-Q) feature that makes the VPN quarantine facility included with Windows Server 2003 accessible to the busy Microsoft network administrator who doesn’t have time to write complex scripts or applications.
Finally, a word about the recent outbreak of RPC worm activity. Almost all of you are aware of the MSBLASTER worm and its variants. If not, then head on over to http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/msblaster.asp and learn about it. This worm takes advantage of an RPC problem seen in machines that have not been patched with the fix noted in http://support.microsoft.com/default.aspx?kbid=823980.
One of the more problematic issues for ISA Server firewall administrators is impaired access to outbound TCP port 135. The RPC endpoint mapper uses this port and access to it is required if you want to allow outbound access for the full Outlook MAPI client to an Exchange Server on the Internet, or if you want to publish an Exchange Server on the internal network and allow remote users access using the “big Outlook”.
Many ISPs have shut down TCP port 135 because of the Blaster worm and its variants. Because of this, your users are calling you wanting to know what to do. There’s no easy solution. You can call the ISPs and beg them to “open the port” and try to explain to them that ISA firewalls are immune to this exploit. Sometimes they listen to reason, more often they don’t. I suspect that your remote users will need to connect to ISPs that don’t provide this kind of “help” until the furor has died down or use Outlook Web Access via SSL.
In closing, I’d like to say that I think it’s pretty foolish for ISPs to shut down TCP 135 because of a single class of exploit. How many exploits move over TCP 25 (SMTP), TCP/UDP 53 (DNS), TCP 80 (HTTP), TCP 110 (POP3), TCP 119 (NNTP) and TCP 443 (SSL)? Will they start blocking those ports too? This type of port blocking is a loser’s game and the only answer is to bring application aware firewalls into the mix (like ISA Server 2000) to prevent exploit code from doing its damage.
What do you think? Let me know! Send me a note at tshinder@isaserver.org and I’ll share the results in the next newsletter. Thanks! –Tom.
2. ISA Server and Beyond Book and ISA Server and Beyond Seminars Now Available
By Thomas W Shinder
ISA Server and Beyond is now available! We've included tons of stuff on DMZs, firewall chaining, hierarchical Web caching (Web Proxy chaining), SSL bridging, SSL publishing, OWA, Secure IMAP4/SMTP/POP3 publishing, and publishing services on the ISA Server itself! Most of this stuff isn't described anywhere else. If you're ready to take ISA Server 2000 to the next level, then this is a book you must have.
Click here to order ISA Server and Beyond from Amazon.com today!
Are you wrestling with ISA Server? Need to get your head around what makes ISA Server tick? If so, consider my one-day seminar on ISA Server. I'll bring meaning to inbound and outbound access, ISA Server client types, Web and Server Publishing, and VPN Servers and VPN Gateways. I guarantee you'll learn something new and maybe even have fun along the way. The next seminar is May 9th here in Dallas, Texas. Click HERE for more info and I hope to see you there!
3. ISAserver.org Learning Zone articles of Interest
We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:
4. KB Articles of the Month
Here are some interesting and useful ISA Server related Q articles posted by Microsoft in the last month:
5. Post of the Month
Many people have had problems with getting WebDav Web Publishing Rules to work right. Jay Lindgren worked long and hard on this problem and shares his success with ISAserver.org Web board readers:
"Finally I solved it. So what did I do? I was investigating a reinstall of the MS FrontPage Server extensions. But all I found was that these were updated during the Windows 2000 Service Pack 3 installation. Maybe with the Service Pack 4, too. Then I came across the URLScan tool. When I read about it on the Microsoft KB pages I found the link to the config file urlscan.ini. I looked at it and found out that it didn't allow OPTIONS, HEAD and PUT. So I reconfigured it with these parameters.
So the solution for people who aren’t succeeding with their WebDAV connections:
1. Setup:
Windows 2000 Service Pack 4
SBS 2000 Service Pack 1
ISA Service Pack 1
Apply all service packs and the Microsoft Q article Q304340.
2. Check your permissions on affected folders.
For complete info about configuring WebDAV search WebDAV on www.iisfaq.com.
Configuring IIS for WebDAV
WebDAV info
3. If it's not working after these steps, then do this:
4. Check your FP or IIS permissions.
Follow the Microsoft Article Q216705
How to Set Permissions on a FrontPage Web on IIS
5. Change all WebDAV communication to HTTP so you can monitor the traffic. Use Network monitor or Ethereal (www.ethereal.com) to sniff the communication between your client and server.
6. In the packet trace, check for the OPTIONS, HEAD and PUT and see if you get your errors (not allowed) there.
7. Then check your urlscan.ini in C:\Program Files\Microsoft ISA Server. If this file allows OPTIONS, HEAD and PUT under [AllowVerbs] then the error depends on something else.
Follow the Microsoft Article Q309394
HOW TO: Use URLScan with FrontPage 2000
8. Eventually configure the FrontPage Server Extensions.
Follow the Microsoft Article Q205696
How to Install FrontPage 2000 Server Extensions for Internet Information Server
Hopefully this helps anyone who has problems connecting to a WebDAV enabled folder or Web folder. Thanks to everyone!"
Thanks Jay!
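Steps 6 and 7 of Jay's procedure come down to one question: does the urlscan.ini on the box let the verbs a WebDAV client sends (OPTIONS, HEAD, PUT and the PROPFIND/MKCOL family) through? The following script is an added example, not part of Jay's post or of Microsoft's URLScan. It parses the real urlscan.ini layout (an [Options] section with UseAllowVerbs=1 meaning "only the verbs under [AllowVerbs] pass", otherwise "everything except [DenyVerbs] passes") and reports which WebDAV verbs a given file would reject. The two ini texts embedded in it are constructed samples: one with the verbs commented out, as in Jay's broken setup, and one with them allowed. The assumption that UseAllowVerbs defaults to 1 when absent, and that verb matching is case-insensitive, is mine.

```python
"""Report which WebDAV verbs a URLScan urlscan.ini would reject.

Added example for the newsletter's WebDAV post; not code from the
post's author or from Microsoft. File format handled:
  [Options]     Key=Value lines, including UseAllowVerbs
  [AllowVerbs]  one verb per line, used when UseAllowVerbs=1
  [DenyVerbs]   one verb per line, used when UseAllowVerbs=0
Lines beginning with ';' are comments.
"""

# Verbs a WebDAV / Web Folders client needs; OPTIONS, HEAD and PUT are the
# three the post found blocked, the rest are the usual WebDAV additions.
WEBDAV_VERBS = ("OPTIONS", "HEAD", "PUT", "PROPFIND", "PROPPATCH",
                "MKCOL", "LOCK", "UNLOCK")

# Constructed sample: the broken state, with the WebDAV verbs commented out.
BROKEN_INI = """
[Options]
UseAllowVerbs=1
UseAllowExtensions=0
[AllowVerbs]
GET
POST
;OPTIONS
;HEAD
;PUT
[DenyVerbs]
TRACE
"""

# Constructed sample: the corrected state, with the WebDAV verbs allowed.
FIXED_INI = """
[Options]
UseAllowVerbs=1
[AllowVerbs]
GET
POST
OPTIONS
HEAD
PUT
PROPFIND
PROPPATCH
MKCOL
LOCK
UNLOCK
[DenyVerbs]
TRACE
"""


def parse_urlscan_ini(text):
    """Return {section_name_lowercase: [non-comment lines]}.

    urlscan.ini sections are bare lists, not key=value pairs, so the
    standard configparser is not used; a small line parser suffices.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def option_values(sections):
    """Flatten the [Options] section into a lowercase-key dict."""
    opts = {}
    for line in sections.get("options", []):
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip().lower()] = value.strip()
    return opts


def verb_allowed(sections, verb):
    """Apply URLScan's verb policy to one verb (case-insensitive; assumption:
    UseAllowVerbs defaults to 1 when the option is missing)."""
    opts = option_values(sections)
    verb = verb.upper()
    if opts.get("useallowverbs", "1") == "1":
        allowed = {v.upper() for v in sections.get("allowverbs", [])}
        return verb in allowed
    denied = {v.upper() for v in sections.get("denyverbs", [])}
    return verb not in denied


def blocked_webdav_verbs(ini_text):
    """Return the WebDAV verbs this urlscan.ini would reject, in order."""
    sections = parse_urlscan_ini(ini_text)
    return [v for v in WEBDAV_VERBS if not verb_allowed(sections, v)]


if __name__ == "__main__":
    # Run against a real file with: blocked_webdav_verbs(open(path).read())
    for name, text in (("broken", BROKEN_INI), ("fixed", FIXED_INI)):
        print(name, "blocks:", blocked_webdav_verbs(text) or "nothing")
```

If the script reports nothing blocked for the file on the ISA Server, step 7 of the post applies: URLScan is not the culprit, and the cause lies in permissions or the FrontPage Server Extensions.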
6. ISA Server Links of the Month
Speaking of the Blaster worm, did you know that your ISA Server 2000 firewall protects you from external RPC attacks, as well as outbound RPC attacks? You bet! In fact, Microsoft has put together its official recommendations on how to lock down your ISA Server 2000 firewall even more to get the highest level of protection against this exploit. Check it out at:
http://www.microsoft.com/isaserver/techinfo/prevent/blasterworm.asp
The Blaster worm isn't the only bug you have to worry about. The Sobig.F worm is doing a lot of damage too. The good news is that your ISA Server 2000 firewall protects you against this worm as well. Check out Microsoft's official recommendations on how to configure the ISA Server 2000 firewall to protect you against Sobig.F here:
http://www.microsoft.com/isaserver/techinfo/prevent/sobig.asp
ISA Server 2000 tools, tools, tools, tools and more tools! You have a problem that doesn't seem to have a fix? Don't give up until you've searched www.isaserver.org and Jim Harrison's site, ISATools.org. The scripts and fixes he has there are too numerous to count. Check it out and see if there's something there just for you:
http://isatools.org
Are you having problems with Instant Messenger? My solution is to ban it from the network! However, not everyone has the luxury of just removing this dangerous app from his production network. Check out this article on Instant Messaging with ISA Server from the ISA Server 2000 team for everything you ever wanted to know about this subject:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/maintain/isaimsec.asp
7. Ask Dr. Tom
QUESTION: We're thinking about using our ISA Server to do more than inbound and outbound access control. We want it to keep viruses and worms and stuff like that out of the network. Can you tell me how ISA Server can help me do this and how to make it work? Thanks a bunch! --Richard.
ANSWER: There are several ways you can use your ISA Server firewall to protect the network against viruses and worms. The first step is to think about how viruses and worms enter the network. Avenues of entry include:
- HTTP and FTP downloads
- SMTP and POP3
- NNTP
- Instant Messengers and Peer to Peer applications
You can use ISA Server Site and Content rules to block file downloads via HTTP and FTP. However, the Site and Content Rule content control mechanism can be a bit confusing and difficult to implement in a busy and complex production environment.
I've been using GFI Software's DownloadSecurity for quite a while and it's been a life saver on a number of occasions. They've released a new version recently and it has some nice improvements including better performance, sophisticated decompression algorithms that check for exploits contained in compressed files, and the ability to expose files to antivirus inspection by up to four AV engines. Definitely worth checking out at http://www.gfi.com/dsec/
If you host your own mail services, you can use the built-in ISA Server SMTP Message Screener. It can check for keywords, source domains and users and attachment names and types. The built-in SMTP Message Screener is useful for quick inspection, but it suffers from being difficult to manage and almost impossible to back up your lists of blocked keywords and attachments. In addition, the built-in SMTP Message Screener doesn't support full inspection of HTML messages.
I'm a big fan of MailSecurity 8.0. This industrial strength spam and virus whacking app can check for keywords, viruses, worms and a lot more. It subjects all messages to up to four antivirus engines and then goes one step further to check for advanced exploits contained in malicious email messages. I consider this a must have app on any SMTP relay or Exchange Server. Check out http://www.gfi.com/mailsecurity/
As for POP3, I recommend you never allow users outbound access to POP3 servers. You have no control over the POP3 server the user is connecting to and you don't know the level of diligence the SMTP/POP3 administrator gives to controlling viruses and worms in messages on that server.
NNTP is an even bigger problem. I'm not aware of any NNTP application filters that inspect the content of NNTP messages downloaded by the common NNTP client software. This would be a popular filter and perhaps a third party will step up to the plate and provide such a NNTP filter in the future. Newsgroups are often the first place that worldwide worms appear and NNTP content control and inspection would be a great idea!
Instant Messengers and P2P programs can be deadly to any network and you'd be wise to control use of these apps as soon as possible. Not only do these apps expose you to dangerous viruses and worms, they also potentially expose you to enormous legal liability. These so-called "warez apps" can be controlled at the client level but the trick is how do you find them and erase them from your network? Even more problematic is that some organizations demand that some users be allowed to use these apps while all others are blocked.
There's no easy solution to this problem if you try to go it alone. However, if you're willing to check out a third party app, then you can't go wrong with Akonix L7 Enterprise for ISA Server. This extremely powerful application gives you total control over messengers and P2P apps. It helps you log, record, report and beat down abusive users who try to subvert network security with instant messengers, P2P programs and other popular "warez" applications. Check it out at http://www.akonix.com/products/l7_isa.asp
ISAserver.org is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@isaserver.org.
Copyright © ISAserver.org 2003. All rights reserved.